Configuring Patch Schedules

Introduction

Patching the resources consistently ensures complete protection against any security threat. Configuring the patch schedule allows the administrator to decide when to apply the patch updates.

Adding and scheduling patches

To add a patch configuration:

1. Select a client from the All Clients list.
2. Go to Automation > Patch Management > Patch Configuration and click Add.
3. From Add Patch Configuration, provide the following:
   • Select Client
   • Patch Configuration Name: Refers to the name for the patch ready for installation.
   • Description: Refers to the patch details.
   • Apply To: Refers to applying the patch to desktops or servers.
   • Resource Groups: Refers to applying patches to Windows and Linux devices in the resource groups.
4. After providing the basic details, navigate to the Assign Devices section.
5. From Assign Devices, select the devices from the Available Devices section.
   The selected devices appear in the Assigned Devices section.
6. After selecting the devices, navigate to Approval Type.
7. From Approval Type, select one of the following options:
   • Manual Approve
   • Auto Approve
8. After selecting Approval Type, navigate to Reboot Options.
9. From Reboot Options, select one of the following options:
   • Do not reboot
   • Reboot after install if required
10. After selecting the reboot options, navigate to the Patching Schedule section.
11. From Patching Schedule, provide the following parameter:
    • Select Time Zone: The patching process runs according to the selected time zone. For existing patch configurations, Resource Time Zone is automatically assigned.
    • Start Date: Select the date and time (In hours and minutes) to start the patching process.
    • Recurrence Pattern: Select the pattern to run the patching process. For example, Run On Demand, Patch Tuesday.
      Note: For Windows, select Patch Tuesday to schedule the patch installation process. This selection helps to align patching with Microsoft’s Patch Tuesday every month. You can set up patching to trigger at an offset of up to 26 days after the Patch Tuesday of every month. For example, if the Patch Tuesday of the current month falls on the 11th, then an offset of one day schedules the patching to trigger on the 12th of the same month. Similarly, if Patch Tuesday falls on the 9th of the following month, then patching for the same schedule triggers again on the 10th.
    • Enable patching during shutdown/reboot: Select to enable automatic patching when the device is in shutdown or reboot mode.
    • Enable maintenance: Select to enable maintenance period.
      • Escalate maintenance alerts when window ends: Toggle ON or OFF to escalate maintenance alerts that do not auto-resolve after the patch maintenance duration.
        To view the Escalate maintenance alerts when period ends column displaying Yes or No according to the selection, go to Infrastructure > Maintenance.
      • Select schedule duration: After enabling the maintenance period, select the desired duration.
    • Add Users: To add users, do the following:
      1. Click +Add Users.
      2. From the Users screen, select the desired users.
      3. Click Add Users.
         The selected users receive an email notification after completing the patch configuration job.
12. Click Finish.

Viewing the patch configuration list

View the configured patches in Patch Management > Patch Configuration.

The following table describes the various attributes displayed on the Patch Configuration page:

Patch Status

The Patch Status tracks the Installed, In Progress, and Failed patches in the patch configuration. The In Progress column displays the number of patches that are in the process of installation and are yet to be installed.

For example, if there are 100 patches ready for installation, the corresponding patch status is:

• Installed - 0
• Progress - 100
• Failed - 0

After five successful and three failed patch installations, the patch status is:

• Installed - 5
• Progress - 92
• Failed - 3

Internal patch configuration process

After the patch configuration job begins, the agent executes the following:

Step 1: Agent receives control MSG xml (as seen in debug logs)

<cm><id>MISSING_PATCH_DL_IN</id><reqid>2018-06-25 06:49:14</reqid><params>2</params></cm>

Step 2: Agent sends response

<cm><id>RES_MISSING_PATCH_DL_IN</id><response><![CDATA[<winadviceinfo><result params=”2″>success</result><reqid>2018-06-25 06:49:14</reqid></winadviceinfo>]]></response></cm>

Step 3: Agent receives control MSG xml

<cm><id>MISSING_PATCH_DL_IN_LIST</id><reqid>0</reqid><params><ps><p><name>fcoe-utils-1.0.28-6.el6.x86_64 — “”</name><name>curl-7.19.7-53.el6_9.x86_64 — “”</name><name>libtiff-3.9.4-21.el6_8.x86_64 — “”</name><name>efibootmgr-0.5.4-15.el6.x86_64 — “”</name><name>grep-2.20-6.el6.x86_64 — “”</name></p><list>0</list></ps></params></cm>

The agent saves the kbid in path location /opt/opsramp/agent/tmp/approved_pkgs.json file.

Step 4: Agent runs patch install job

The following commands are used (depending on the OS) to generate a patch_install_result.json file in path location /opt/opsramp/agent/tmp/patch_install_result.json:

• Ubuntu – /usr/bin/python /opt/opsramp/agent/lib/apt_frame.py install
• CentOS, Fedora – /usr/bin/python /opt/opsramp/agent/lib/yum_frame.py install
• SUSE - /usr/bin/python /opt/opsramp/agent/lib/zypper_frame.py install
• DARWIN – /usr/bin/python /opt/opsramp/agent/lib/mac_frame.py install

After running the patch install job, the agent checks for the KBIDs that requires a reboot.